Featured Product
This Week in Quality Digest Live
Standards Features
Megan Wallin-Kerth
Thermo Fisher has a team that is primarily an IT department dedicated to quality
Peter Bilello
How best to keep all the moving parts in the digital enterprise from running off the rails
Del Williams
Options to address the risk of combustible dust explosions for NFPA 61 compliance
Craig Matthews
And how to get a job done right
Medical device manufacturers get additional three or four years, depending on risk class

More Features

Standards News
New lines improve software capability and analysis
Automotive cybersecurity on Feb. 9, and AS9145 on Feb. 28
Keeping consumers protected and happy is the key
Automates adherence to guidance from leading quality and risk-management standards
Review will assess how Baldrige Performance Excellence Program can best advance U.S. competitiveness
Better manufacturing processes require three main strategies

More News

Inderjit Arora


ISO Guidelines vs. Requirements

Guidelines are valuable inputs in implementing ISO 9001, but they can’t be used as requirements

Published: Monday, March 30, 2020 - 11:03

ISO 9001 lead-auditor training should enable auditors to focus on the requirements when auditing and to stay away from the pitfall of guidelines.

Take the case of ISO 9001 or, for that matter, any management system standard. The standard has notes to explain the clauses. ISO 9001’s clause 4.1, for example, has three notes. Are these integral to the clause? Yes and no. Yes, because they are explaining an important aspect of the clause. No, because though these are valuable inputs for designing questions and an in implementing ISO 9001, they can’t be used as requirements. Nonconformities, as the drivers of correction and corrective action, are fundamental to the implementation of ISO 9001. ISO 9001 lead-auditor training must clearly outline for students that a nonconformance is the nonfulfillment of a requirement. Notes are not a requirement of the clause.

Similarly, guidelines issued by organizations can never be requirements. Often, leadership takes credit for any success attributed to good guidelines. Ironically, if the guidelines result in any failure, then top management is bound to challenge the competence of midlevel managers by reminding them that guidelines are just guidelines! ISO 9001 lead-auditor training, as certified by Exemplar Global, clarifies the need for auditors to focus only on requirements when auditing.

I’m a member of TAG-176, the ISO technical committee that works to monitor ISO 9001 and update it when the time comes to do so. Annex B to ISO 9001 provides TC-176-developed guidance to organizations in implementing ISO 9001. Again, remember that these can’t be used to add or modify the clauses of ISO 9001, or for that matter, to interpret any standard.

When looking at and interpreting ISO 9001 Clause 8.5.5—“Post-delivery activities” or ISO 9001 Clause 9.1.2—“Customer satisfaction,” you may consider the wisdom of ISO 10001:2018: “Quality management—Customer satisfaction—Guidelines for codes of conduct for organizations.” However, if the organization is not conforming to these guidelines, a nonconformity can’t be issued.

Similarly, ISO 10002 guidelines for complaints handling are useful, as are ISO 10003 guidelines for dispute resolution external to organizations, and so on to ISO 10004, ISO 10005, right through to ISO 10019. These are all very important input and yet, nevertheless, guidelines.

ISO 19011:2018: “Guidelines for auditing management systems” is more widely used as the guidance on management of an audit program. This standard also forms a core part of the curriculum for ISO 9001 lead-auditor training. The basics of planning and conducting an audit as well as evaluating an auditor’s competence is part of this guideline. Again, these are but guidelines. It is for top management and leadership to correctly interpret and apply the guidelines wisely to their organizations. Auditors, having completed their ISO 9001 lead-auditor training, must conduct their audits in an objective manner and provide useful inputs to management to make wise decisions.

ISO 9001 and other management system standards are only as good and useful as the implementation that is carried out. ISO 9001 auditors, too, need a good ISO 9001 lead-auditor training foundation to assess the implementation based on interpretations of the clauses of the selected standard. Leadership may choose to implement an integrated management system based on several standards. When auditing and using the various guidelines, it is important that the meaning of guidelines not be mixed with requirements.

This of course does not take away a leadership prerogative of converting any selected guidelines to requirements by so stating it in the management system. The point here is not to mix guidelines and requirements. When these are mixed, it makes a potent mixture for the failure of a management system. ISO 9001 lead-auditor training should ensure that your auditors steer clear of auditing to guidelines. Guidelines confuse users, auditors, leadership, and others, resulting in poor implementation of ISO 9001 or any other ISO standard or industry-specific standard. Mixing guidelines and requirements is enemy No. 2 of a management system. Enemy No. 1 is writing a management system to the clauses of standard, ISO 9001 or any other standard.

During the 30-plus years that QMII has helped clients, our experience is that management systems that mix guidelines complicate matters by contravening the caution in the ISO 9001 introduction, section 0.1 (d) second bullet, where it says clearly that it is not the intent of the standard to imply the need for “alignment of documentation to the clause structure of this International Standard.” Yet, during my 20 years of experience, I’ve seen 70 percent of management systems based on ISO 9001 aligned to the clauses. I often ask why. The answer is that it’s easier for auditors to audit. Management forgets that the management system is written for employees, for users, those who work according to processes and not to clauses. QMII’s ISO 9001 lead-auditor training, used and improved continuously since the 1980s, enables auditors to prepare for systems that are unique and developed around the users rather than aligned to clauses.


About The Author

Inderjit Arora’s picture

Inderjit Arora

Inderjit Arora is the President and CEO of Quality Management International Inc. (QMII). He serves as a team leader for consulting, advising, auditing, and training in management systems. He specializes in several ISO and industry specific standards. He is an Exemplar Global certified Lead Auditor and is on the US TAG-176 committee, and a member of the US Submarine League. IJ  is a popular speaker at several universities and forums on management systems, conflict management, crisis communication and leadership. Dr. Arora is a Master Mariner with an MBA from the College of William and Mary and additionally MSC in defense studies and graduation in nuclear sciences. He has a 32 year record of achievement in the military, mercantile marine, and civilian industries. He writes a blog and contributes to several professional magazines, including Quality Digest. His articles have been published in the USCG Proceedings.


ISO Guidelines vs. Requirements

Thank for your article.

I have three points please:

 1)    Now we can see so many certification bodies giving certification on some of the ISO guidelines such as ISO 10002 , and if the organizations didn’t meet the guidelines they issued NOC

2)    So the leadership has the authority to change the suggested guidelines practices to mandatory requirements, am I right?

3)    Sorry what do you mean of, enemy No. 1 is writing a management system to the clauses of standard, ISO 9001 or any other standard?

Many thanks in advance.



Reply to Omar by the author

Omar thank you for appreciating my article. Much appreciate. I am glad you saw merit in what I wrote.

Let me start by addressing your last point: "Enemy No. 1 is writing a management system to the clauses of standard, ISO 9001 or any other standard".  You will observe some management me systems are simply written to clauses. Which means when you open e.g. a quality manual you see description for  clause 4.1, then to 4.2 and so on. But you will agree organizations work to processess. There should be a core process to show the interaction between key processes (ISO 9001:2015 clause 4.4.1 b). Employees in an organization work to procedures and work instructions. If you write system to clauses, employees find it hard to see where they or their work fits in.

The standard itself is never (not meant to be) prescriptive or descriptive. It has to be interpretted. So in your second point your conclusion is correct. Leadership (with their team) interpret the system standard (ISO 9001:2015 or other relevant standard) to design their management system. They can create requirements. Where required procedures should be updated to reflect reality. By all means they can have guidelines to explain some aspects, but then these guidelines can not be taken as requirements.

I am answering your first question last! It is because it flows from the point above. All interpretations made by Leadership become requirements. In some cases there are statutory or legal requirements. These must be met. Now if there is a guideline for which, the organization needs an industry specific interpretation, it may choose a certifying body. 

I hope this answers your questions. Please feel free to contact me or send an e-mail should you need further information/ clarification.


Auditor Training & Guidelines

Thank you sir for your article. I agree that there is a key difference between guidelines and requirements. 

I shall share with you that I too have built the majority of our QMS around the standard clauses, though thankfully not by number. My reasoning is the same, ease of auditing. Further explanation is that when audited, if the auditor cannot easily see conformity to the documented requirements, they have a tendancy to view it as a nonconformity. The reality being their limitation on seeing conformity within the system if it is not following the same structure as the standard.

In short, I agree that an emphasis needs to be made on how the standards are taught to auditors so that they truly understand the requirements (and guidelines) and that they can view a QMS beyond the same format as it appears in the standard. I have even seen cases where auditors will view our system as nonconforming because we didn't use the same words that appear in the standard.

Again, thank you for this perspective. I found it refreshing and will save it for future reference.


Reply to Ted by the author

Ted thank you for reading my article and agreeing to the views. I too see the point you are making, However, over these 20 odd years, of consulting, auditing and training on several standards, I have followed the interpretation of ISO 9001:2015 clause 4.4.1b. I write a management system, first based on the "as-is" of the system. That means no templates. I capture the system as it is, then get the gaps with the requirements. 

To help auditors (and you rightly said, some of the auditors need help!!) not give NCs just because they could not understand the system, I create a table which the Quality Manager, other management positions can keep handy. In this table, I have the clauses of the standard on side and the procedure number along the top. So now you have a management system written to procedures, and still a cheat sheet avaiable to show how the relevant clause has been met by the management system procedures.

Hope that helps. Thank you for your comments.


IJ / President & CEO QMII